Month: October 2018

Juniper Dynamic VPN

[SRX] Pulse client not able to connect to SRX due to configuration issues
Summary:

A sample working configuration is included for you to compare against your configuration.

This article is a part of the Dynamic VPN Resolution Guide:  KB17220 – Resolution Guide – SRX – Troubleshoot Pulse VPN connections to SRX.

Symptoms:

The Pulse client is not connecting to the SRX because of a configuration error.

Cause:

Solution:

If your Pulse client is not connecting to the SRX device, first follow the steps in KB23031 – [SRX] Pulse client connection status is ‘Disconnected’; that article may refer you here to confirm your configuration.

Below is a working configuration for a Pulse client connected to an SRX.  The common problem areas are marked with ## comments so that you can compare them with your own configuration.  The sample shows the structure, not recommended settings: its DES and MD5 proposals are weak and long deprecated, so use AES and SHA-based proposals that your Pulse client version supports, and replace the placeholder addresses, password hashes and pre-shared key with your own.

system

system {
    root-authentication {
        encrypted-password "xyzxyzasdasdabcabc";
    }
    services {
        web-management {
            https { 
                system-generated-certificate;
                interface fe-0/0/0.0; ## Specifying the interface is optional
            }
        }
    }
}

interfaces

interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                ## This address is what the Pulse client enters as the Server URL when fe-0/0/0 is the IKE external interface
                address 1.1.1.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}

security

security {
    ike {
        proposal ike-prop1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        ## The mode must be aggressive for the dynamic gateway; otherwise the client reports "IKE negotiations fail"
        policy ike-dyn-vpn-policy {
            mode aggressive; 
            proposals ike-prop1;
            pre-shared-key ascii-text "asdasdxyzxyz##$$%%^"; ## SECRET-DATA
        }
        ## Make sure the correct IKE Policy is specified
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy; 
            dynamic {
                hostname dynvpn;
                ## The connections limit must not exceed the number of installed Dynamic VPN licenses
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            ## Make sure to specify the correct egress interface toward the client
            external-interface fe-0/0/0.0; 
            xauth access-profile dyn-vpn-access-profile;
        }

    }
    ipsec {
        proposal ipsec-prop2 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop2;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-policy;
            }
        }
    }
    ## Bind the Access profile with the Dynamic-VPN
    dynamic-vpn {
        access-profile dyn-vpn-access-profile; 
        clients {
            all-clients {    
                remote-protected-resources { 
                    192.168.0.0/24;    ## Specify which traffic should go through the VPN
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ## Specify the correct IPSEC VPN name
                ipsec-vpn dyn-vpn; 
                user {     ## Each user must match a client name under [edit access] or a user defined on the RADIUS server
                    user1; 
                    user2;
                }
            }
        }
    }
    policies {
        ## Direction should be from outside to inside
        from-zone untrust to-zone trust { 
            policy pol-dyn-vpn {
                match { 
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ## Specify the correct IPSEC VPN name
                            ipsec-vpn dyn-vpn; 
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        ## IKE and HTTPS are mandatory on the external interface
                        system-services { 
                            ike;
                            https;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}

access

access {
    profile dyn-vpn-access-profile {
        client user1 {
            firewall-user {
                password "$9$bns4JGUH"; ## SECRET-DATA
            }
        }
        client user2 {
            firewall-user {
                password "$9$km5FCt0c"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.1.0/24;
                xauth-attributes primary-dns 4.2.2.2/32;
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile; ## Must be the profile name defined under [edit access]
        }
    }
}

For more information on the above configuration fields, refer to:

If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 – [SRX] Data Collection Checklist – Logs/data to collect for troubleshooting, and open a case with your technical support representative.  (Note the ‘IPSec – Dynamic VPN’ section for the additional data to collect.)

Original source:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB22980&actp=METADATA